ArrowChat contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the external.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'lang' parameter. This directory traversal attack would allow a local attacker to include arbitrary files.

// Load another language if lang GET value is set and exists
if (var_check('lang'))
{
$lang = get_var('lang');